Hi all
I found a file in /usr/games/ which was a log of all successful logins.
User name and password got logged in plain text.

Because of these plain-text passwords I considered sshd to be compromised and reinstalled the system to be sure there was no backdoor left.

Has any of you experienced something like this?

I couldn't find out how the logfile got back to the intruder.
No suspicious entries in /etc/[passwd|group|shadow].
No cronjobs. No open ports and nothing in mail.log.

best regards
Michael

03-22-2010

unspawn

Quote:

Originally Posted by mjbohn

I couldn't find out how the logfile got back to the intruder.
No suspicious entries in /etc/[passwd|group|shadow].
No cronjobs. No open ports and nothing in mail.log.

Unless you made a bit-by-bit backup of the whole disk you can still examine, these questions make sense only if you ask them prior to reinstalling the system.

* BTW, I hope "reinstalling the system" for you means completely reinstalling the system (not only re-installing OpenSSH). Since compromising sshd means root account rights, you're strongly advised to change all passwords on this machine (also check adjacent machines this one has access to), and not to run any (publicly) accessible services until you have properly hardened the machine. You can find a basic post-incident outline here if you need it: CERT/CC: Steps for Recovering from a UNIX or NT System Compromise; else feel free to ask specific questions.

03-22-2010

mjbohn

Thanks for your answer.

Quote:

Originally Posted by unspawn

Unless you made a bit-by-bit backup of the whole disk you can still examine, these questions make sense only if you ask them prior to reinstalling the system.

Yes, I know. I was just curious how this works. I guess the fake sshd did all the work: sending back logs and providing a backdoor.

And yes, I did a complete reinstall :)
Now rkhunter, logwatch and fail2ban are helping me. I'm also thinking about using Samhain IDS. But that might be a bit over-sized for just a webserver.

03-22-2010

unspawn

Quote:

Originally Posted by mjbohn

I guess

...and that's the problem. Without files, file names or logs, the only thing that remains is guessing. Personally I'd rather deal with "evidence".

And your sshd may have been replaced as part of some kit, but that does not automagically mean that the compromise happened through SSH as well. You may have run something else that let the dogs in. In the kits I know about, any component that does logging will keep it stored in a local file for later retrieval, not send it.

Quote:

Originally Posted by mjbohn

Now rkhunter, logwatch and fail2ban are helping me. I'm also thinking about using Samhain IDS. But that might be a bit over-sized for just a webserver.

In contrast to, say, Aide or tripwire (*shudder*), Samhain is an active integrity checker, as it will schedule its own checks. While it can be used for a lot more, it can easily alert you on, say, files dropped in your webserver's docroot or directories holding temporary files. PHP still is one of the usual suspects. If you run it then you'll also want to run mod_security, maybe patch your Logwatch with something like this, and harden the server wherever you can. I hope that (next to all the docs your distro already may offer) you've got some good docs to guide you wrt hardening?
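To make the integrity-checking idea in the reply above concrete, here is an added example (not code from this thread, and not Samhain's own implementation) showing the core of what a file integrity checker does: record a baseline of SHA-256 digest, permission bits and size for every regular file under a directory, then compare a later scan against it and report files that were added, removed or modified. The docroot, file names and contents are constructed in a temporary directory purely for demonstration. A real deployment (which is what Samhain, Aide and tripwire provide) would store the baseline off-host or signed so an intruder with root cannot simply rewrite it, and would run on a schedule.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record digest, permission bits and size for every regular file.

    Keys are paths relative to `root`, so the baseline can be compared across scans.
    Symlinks are skipped here; a production tool would record their targets too.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, independent of filesystem ordering
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": st.st_mode & 0o7777,  # permission bits incl. setuid/setgid/sticky
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Diff two scans and return added, removed and modified relative paths (sorted)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny docroot, then change it and re-scan.

    Simulates one file dropped into the temp directory, one existing file edited,
    and one session file removed; returns the diff the checker would alert on.
    """
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "tmp"))
        with open(os.path.join(docroot, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(docroot, "tmp", "sess_abc"), "w") as f:
            f.write("session data\n")

        baseline = build_baseline(docroot)

        # Events after the baseline was taken (all constructed for the demo).
        with open(os.path.join(docroot, "tmp", "dropped.php"), "w") as f:
            f.write("<?php /* unexpected file placed in tmp */ ?>\n")
        with open(os.path.join(docroot, "index.php"), "a") as f:
            f.write("// appended line\n")
        os.remove(os.path.join(docroot, "tmp", "sess_abc"))

        current = build_baseline(docroot)
        return compare(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script prints the three categories; in practice the checker would be pointed at the real docroot and temp directories and its baseline refreshed only after a deliberate deployment, so that anything else showing up as "added" or "modified" is worth a look.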

03-22-2010

mjbohn

Quote:

Originally Posted by unspawn

In contrast to, say, Aide or tripwire (*shudder*), Samhain is an active integrity checker, as it will schedule its own checks.

OK, I'm going to get familiar with Samhain. Are you using it?
So I could probably come back with questions in case I need to?